web-search
Audited by Socket on Feb 18, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

This SKILL.md appears coherent and its capabilities align with its stated purpose (hosted web search and extraction via the inference.sh CLI). There are no direct signs of obfuscated or intentionally malicious code inside this skill documentation. However, it relies on executing a remote install script and on sending user queries and URL content to vendor-hosted backends (inference.sh / dist.inference.sh). Those supply-chain and privacy risks make this skill SUSPICIOUS rather than benign: a compromised installer or backend could harvest credentials or exfiltrate sensitive content. If you plan to use it, review the installer script and checksum verification process before running curl | sh, and avoid sending sensitive URLs or secrets to the service.

LLM verification: This SKILL.md describes a coherent hosted web-search/extraction skill that uses the inference.sh CLI to run Tavily and Exa apps. The functionality matches its stated purpose. The main security concerns are the recommended 'curl | sh' installer pattern (executing a remote installer) and the fact that all user queries, URLs, and login credentials are handled by a third-party backend (inference.sh / dist.inference.sh / tavily / exa). No direct signs of obfuscation, hardcoded secrets, or code-level